3D Secure Integration

ACS Initiated SPC

On this page:

In the ACS initiated SPC flow, the Issuer’s ACS decides that a challenge is needed and initiates SPC. Your back-end still sends the same Authenticate Request; the difference is that the ACS drives the decision to use SPC and runs the challenge. You then send a Result Request to retrieve the final outcome.

ACS Initiated SPC flow diagram

sequenceDiagram participant CARDHOLDER as Cardholder participant FRONTEND as Client Front-End participant BACKEND as Client Back-End participant 3DS_SERVER as Ravelin 3D Secure participant ACS as Issuer ACS FRONTEND ->> BACKEND: PAN & Browser Info BACKEND ->> 3DS_SERVER: Version Request 3DS_SERVER ->> BACKEND: Version Response BACKEND ->> FRONTEND: Method Details FRONTEND ->> ACS: Method Request ACS ->> FRONTEND: Collect browser info [e.g. SPC support] (Managed by ACS in iframe) FRONTEND ->> ACS: Browser info such as SPC API support FRONTEND ->> BACKEND: Method Notification (Initiated by ACS from iframe) BACKEND ->> FRONTEND: Method Notification Response FRONTEND ->> BACKEND: Start Authentication BACKEND ->> 3DS_SERVER: Authenticate Request 3DS_SERVER ->> BACKEND: Authenticate Response FRONTEND --> ACS: If a challenge is required BACKEND ->> FRONTEND: Challenge Details FRONTEND ->> ACS: Challenge Request (CReq) ACS ->> FRONTEND: Challenge [HTML renders native PaymentRequest UI] (Managed by ACS in iframe) FRONTEND ->> CARDHOLDER: FIDO Authentication CARDHOLDER ->> FRONTEND: Assertion data sent to ACS for Verification (Managed by ACS in iframe) FRONTEND ->> ACS: Assertion data FRONTEND ->> BACKEND: Challenge Notification (CRes) (Initiated by ACS from iframe) BACKEND ->> 3DS_SERVER: Result Request 3DS_SERVER ->> BACKEND: Result Response

See the main 3DS Browser Integration Guide for the general integration steps for collecting browser info, version request and method request.

This page documents only how the flow differs from the traditional browser flow.

Authenticate Request (ACS Initiated SPC)

Your back-end sends an Authenticate Request with messageVersion 2.3.1. The ACS may decide to require a challenge and use SPC; that decision is made by the issuer.

The Method request MUST have completed before sending the Authenticate Request so if the Cardholder has an browser which supports the SPC API they will know about before making a decision on challenge flows.

See the 3D Secure API reference for full details.

Important Fields

The fields below are of importance in the 1st Authenticate Request:

  • messageVersion message version MUST be 2.3.1 (or higher) to be supported. It is not supported on earlier versions of the protocol.
  • threeDSRequestorSpcSupport this field MUST be omitted or you could trigger the 3DS Requestor initiated flow by mistake.

Example Authenticate Request for ACS Initiated SPC:

{
  "timestamp": 1772035923180,
  "areqData": {

    "messageVersion": "2.3.1"

  }
}

The response is handled exactly the same as a regular Browser challenge flow.

Authenticate Response (ACS Initiated SPC)

The Authenticate Response shows a challenge is required.

See the 3D Secure API reference for full details.

Important Fields

The fields below are of importance in the 1st Authenticate Response:

Example Authenticate Response when the ACS initiates SPC:

{
  "status": 200,
  "timestamp": 1772035924,
  "cardScheme": "Ravelin",
  "data": {
    "threeDSServerTransID": "78d84802-aa2a-4f23-b34d-b324140d117a",
    "acsChallengeMandated": "N",
    "acsReferenceNumber": "mock-acs-reference-number",
    "acsTransID": "8fefadbf-199e-4056-ab2a-1791b5fdea39",
    "acsURL": "http://ingress-mock-access-control/3ds/acs/browser/creq",
    "authenticationType": "02",
    "authenticationValue": "bG9va2l0c2FuZWFzdGVyZWdnIQo=",
    "broadInfo": null,
    "dsReferenceNumber": "mock-directory-server-a",
    "dsTransID": "489f6037-191a-4d58-a7de-5b3a6b8f13cd",
    "messageType": "ARes",
    "messageVersion": "2.3.1",
    "transStatus": "C",
    "threeDSRequestorAppURLInd": "N",
    "authenticationMethod": [
      "14"
    ]
  }
}

Challenge Request and Response (ACS Initiated SPC)

The rest of the flow continues exactly the same as the Browser Challenge Request.

The Rendering of the native PaymentRequest UI, FIDO Authentication, sending of assertion data is all handled in the HTML of the iframe returned by the ACS during the challenge flow.

You will need to amend the Permissions-Policy on the iframe rendered by the ACS to make sure it has access to the SPC API and on-device Passkey.

Feedback

© Ravelin Technology Ltd. All rights reserved